The Infinite Consultation: How a Business Logic Flaw Led to Unlimited Free Vet Appointments
In cybersecurity, we often hunt for complex technical bugs. However, some of the most fun vulnerabilities aren’t found in the code's syntax, but in its Business Logic. I discovered a Medium-severity flaw (initially reported as High) that allowed me to reuse a "one-time" free consultation voucher indefinitely.
This discovery earned a $1,000 bounty and highlights a crucial lesson: The UI is a suggestion, but the API is the law.
The Scenario
A platform offers users a free veterinary video consultation via a promotional token from a partner. The logic seemed straightforward:
You book an appointment using your free token.
You can cancel and reclaim your token up until 60 minutes before the start time.
Within the final 60 minutes, the user interface (UI) removes the "Cancel" option, as the vet is already preparing for the call.
The Vulnerability: UI Limitations vs. API Reality
While the "Cancel" button disappeared from the website as expected, the underlying API endpoint (/cancel-booking) remained active and enforced no time gate of its own.
By manually sending a DELETE request to the API, I uncovered a synchronisation failure:
The Recall: I sent a manual cancellation request just one minute before the call was set to begin.
The Refund: The system processed the cancellation and immediately returned the free token to my account.
The Ghost Session: Because the video link had already been generated and emailed to me, the third-party video service remained active. I could still join the call and speak with the vet, even though the system officially marked the appointment as "Cancelled" and gave me my credit back.
Step-by-Step Reproduction
Book a video consultation using a free promotional voucher.
Wait for the final confirmation email containing the meeting link.
Bypass the UI: Instead of looking for a button on the site, use a tool like Burp Suite or a simple cURL command to send a DELETE request to the API using your bookingId.
The Exploit: Observe that your token is refunded, allowing you to book a second free appointment immediately, while the original meeting link still lets you enter the call.
The Impact
The financial and operational impact of this logic flaw was significant:
Promotion Abuse: A "one-time" marketing offer becomes an unlimited free service.
Resource Drain: Professional veterinarians are reserved for "ghost" appointments that appear cancelled in the system, potentially leading to lost revenue and scheduling chaos.
The Fix
Preventing this class of logic flaw requires enforcing the rules server-side and keeping every system's state in sync:
Server-Side Time Checks: The API must independently verify if the current time is within the allowed cancellation window, regardless of what the UI shows.
State Synchronization: When an appointment is cancelled, the system must send a "kill" signal to the video provider to invalidate the meeting link immediately.
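An added example, not code from the original post, showing how the two fixes above can be combined in one server-side cancellation handler. The Python below assumes a hypothetical VideoProvider standing in for the third-party video service, constructed sample values, and a server clock passed in as `now`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CANCEL_CUTOFF = timedelta(minutes=60)  # the page's rule: no cancellation inside the final 60 minutes
SAMPLE_START = datetime(2024, 1, 1, 12, 0)  # constructed appointment time for a sample run

@dataclass
class Booking:
    booking_id: str
    owner: str
    start_time: datetime
    voucher_id: str
    link_id: str
    status: str = "booked"

class VideoProvider:  # stand-in for the third-party video service (hypothetical, not a real API)
    def __init__(self):
        self.active = set()  # link ids that can currently be joined
    def create_link(self, link_id): self.active.add(link_id)
    def revoke_link(self, link_id): self.active.discard(link_id)
    def is_joinable(self, link_id): return link_id in self.active

class BookingService:
    def __init__(self, video):
        self.video = video
        self.bookings = {}  # booking_id -> Booking
        self.vouchers = {}  # voucher_id -> True while still available

    def book(self, booking_id, owner, start_time, voucher_id):
        if not self.vouchers.get(voucher_id):
            raise ValueError("voucher already used")
        self.vouchers[voucher_id] = False
        link_id = f"link-{booking_id}"
        self.video.create_link(link_id)  # the link is emailed to the user at this point
        self.bookings[booking_id] = Booking(booking_id, owner, start_time, voucher_id, link_id)
        return self.bookings[booking_id]

    def cancel_booking(self, booking_id, caller, now):
        """Handler for DELETE /cancel-booking; 'now' is the server clock, never a client value."""
        b = self.bookings.get(booking_id)
        if b is None or b.owner != caller:
            return "not_found"  # ownership check; unknown and foreign ids answer the same
        if b.status != "booked":
            return "already_cancelled"  # idempotent: a voucher is refunded at most once
        if now > b.start_time - CANCEL_CUTOFF:
            return "too_late"  # the time gate lives here, whatever the UI shows
        self.video.revoke_link(b.link_id)  # kill the meeting link before refunding
        b.status = "cancelled"
        self.vouchers[b.voucher_id] = True
        return "cancelled"
```

A cancel request one minute before SAMPLE_START returns "too_late" and leaves the voucher consumed and the link live, which is the state the platform needed. A cancel 90 minutes out revokes the link before the voucher is returned, so a refunded token and a joinable call can never coexist.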
Conclusion
This bug serves as a reminder to always test the "obvious" boundaries. When a feature disappears from the screen, it doesn't necessarily mean it has disappeared from the server. By thinking like a user but acting like an API, you can find gaps that automated scanners will always miss.
Summary of the Finding:
Type: Business Logic Error / Broken Access Control
Severity: Medium (5.3)
Bounty: $1,000
